Cybersecurity Startup Exposed Hospital Network Data in Demos

Billion-dollar cybersecurity startup Tanium has acknowledged failing to thoroughly anonymize network information for a California hospital that appeared in live product demonstrations and online videos.

It's the second crisis in a week for Tanium, whose CEO is disputing accusations of unsavory behavior and questionable terminations of senior employees.

The data leak admission comes after the Wall Street Journal reported on April 19 that Tanium staff and CEO Orion Hindawi did hundreds of presentations for potential customers from early 2012 through mid-2015 that relied on probing the network of El Camino Hospital, which is based in Santa Clara, California.

The demos came to a halt after Tanium lost access to the hospital's network, and the company began searching for another customer who was willing to give permission, the Journal reported. At least three demo videos were posted online, including one on YouTube by a reseller in 2012. All have now been taken down.

An El Camino Hospital spokeswoman tells Information Security Media Group that it "was not aware of this usage and never authorized Tanium to use hospital material in any sales material or presentation. El Camino Hospital is thoroughly investigating this matter and takes the responsibility to maintain the integrity of its systems very seriously."

In a statement on Tanium's website, Hindawi says that since 2015, the company has written agreements with customers on what data can be shown during a demo "to ensure there isn't any confusion."

But the data leak will likely complicate Tanium's relationships with its current customers and potential new accounts.

"Unbelievably grossly negligent," writes Frank S. Rietta, CEO of Rietta Inc., a web application security company based in Atlanta and Nashville, on Twitter. "So stupid. How did anyone at Tanium think this was okay!?"

Poor Anonymization

Tanium's products are used to quickly pinpoint weaknesses in endpoints and make changes, particularly while an organization is under attack. Doing that at scale, across tens of thousands of endpoints, is the problem that Tanium says its products address.

The Journal reported that the demonstrations exposed information related to security vulnerabilities, server and computer names, anti-virus software versions and some personnel information. El Camino Hospital says Tanium did not have access to patient data.

In response to a request for comment, a Tanium spokeswoman referred to Hindawi's statement. In it, Hindawi doesn't mention El Camino Hospital by name, but writes: "We take responsibility for mistakes in the use of this particular customer's demo environment. We should have done better anonymizing that customer's data."

El Camino Hospital characterizes Tanium as a "third-party vendor." The Journal reports that Allscripts Healthcare Solutions, a large healthcare technology company based in Chicago, had installed Tanium's software on the hospital's network in 2010. A spokeswoman for Allscripts tells ISMG that it did not give permission for Tanium to use the hospital's network for demos.

Preparing a cyberattack defense often involves pulling at threads to complete a picture of how an organization has architected its network, which can reveal weaknesses. Because the demo videos have been pulled offline, it's not possible to see precisely what Tanium failed to anonymize and how attackers might have exploited that information. But this unquestionably represents a staggering failure by a cybersecurity company.

Knowing, for example, that an organization's anti-virus software is out of date is extremely useful to an attacker. Anti-virus suites have deep access to computer operating systems, including the highly sensitive kernel. Over the years, researchers have found vulnerabilities in security software that attackers can exploit to gain kernel-level access, completely compromising a computer.
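The fields the Journal lists (host names, personnel names, anti-virus versions) are exactly the ones a demo data set should never carry in the clear. As an added illustration that is not part of the original article and not Tanium's code, the following Python sketch shows one defensible way to prepare such a data set: identifying fields are replaced with keyed pseudonyms so the demo still shows realistic relationships (the same account on two machines), the exact anti-virus build is reduced to a current/outdated status, and a final check refuses to ship the set if any raw value survives. The record layout, the host names and the `latest_av_version` parameter are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample rows of the kind an endpoint-inventory demo might show.
# Host names, users and addresses are invented; they belong to no real network.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"hostname": "rad-ws014.example-hospital.internal", "user": "jdoe",
     "ip": "10.12.4.27", "av_product": "ExampleAV", "av_version": "9.1.2"},
    {"hostname": "rad-ws015.example-hospital.internal", "user": "jdoe",
     "ip": "10.12.4.28", "av_product": "ExampleAV", "av_version": "9.4.0"},
    {"hostname": "db-ehr-01.example-hospital.internal", "user": "svc_ehr",
     "ip": "10.12.9.5", "av_product": "ExampleAV", "av_version": "8.0.7"},
]

# Fields that identify a machine or a person and must never appear raw in a demo.
SENSITIVE_FIELDS = ("hostname", "user", "ip")


def _version_tuple(version: str):
    """'9.1.2' -> (9, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


class DemoAnonymizer:
    """Replaces identifying values with keyed pseudonyms and coarsens AV versions.

    A keyed HMAC (rather than a plain hash) means someone who sees the demo
    cannot confirm a guessed host name by hashing it themselves; the key stays
    with whoever prepared the data set and is rotated per customer/demo.
    """

    def __init__(self, key: bytes, latest_av_version: str):
        self.key = key
        # Assumed parameter: the vendor's current AV release, used only to
        # bucket versions as current/outdated instead of showing the build.
        self.latest = _version_tuple(latest_av_version)

    def _token(self, kind: str, value: str) -> str:
        digest = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        return f"{kind}-{digest[:10]}"

    def _av_status(self, version: str) -> str:
        return "current" if _version_tuple(version) >= self.latest else "outdated"

    def anonymize(self, record: Dict[str, str]) -> Dict[str, str]:
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                out[field] = self._token(field, out[field])
        if "av_version" in out:
            # Drop the exact build; keep only what the demo needs to make its point.
            out["av_status"] = self._av_status(out.pop("av_version"))
        return out


def find_leaks(originals: List[Dict[str, str]], anonymized: List[Dict[str, str]]) -> List[str]:
    """Return every raw sensitive value that still appears anywhere in the output.

    Deliberately a blunt substring scan over the serialized output: a false
    positive costs a second look, a false negative costs a customer.
    """
    blob = json.dumps(anonymized)
    return [rec[field] for rec in originals for field in SENSITIVE_FIELDS
            if rec.get(field) and rec[field] in blob]


def prepare_demo(records: List[Dict[str, str]], key: bytes, latest_av_version: str):
    """Anonymize a record set and refuse to return it if any raw value leaked."""
    anonymizer = DemoAnonymizer(key, latest_av_version)
    cleaned = [anonymizer.anonymize(r) for r in records]
    leaks = find_leaks(records, cleaned)
    if leaks:
        raise ValueError(f"refusing to ship demo data, raw values present: {leaks}")
    return cleaned


if __name__ == "__main__":
    for row in prepare_demo(SAMPLE_RECORDS, b"demo-key-rotate-per-customer", "9.4.0"):
        print(row)
```

The two properties worth noticing are that `jdoe` maps to the same pseudonym on both workstations (so the demo can still show "this account is logged in on two hosts") while nothing in the output can be reversed to the real account, and that `prepare_demo` fails closed: a data set that would expose a host name never leaves the function.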

"Toxic Culture" Allegation Dismissed

It's the second crisis to hit Tanium in a week following a report from Bloomberg that nine senior executives have left the company in the past eight months. Some employees were apparently fired before they could cash in their stock options. Unnamed employees have also accused Hindawi of belittling workers and making inappropriate comments.

In his statement, Hindawi dismissed the characterization that Tanium has a "toxic culture." Rather, he said the firm is "highly demanding and mission oriented, and ... we expect our employees to drive themselves hard."

But he did acknowledge that tensions have existed in the workplace. "When taken to an extreme, that drive can make for a stressful environment, which we are working to balance and prevent," he continues. "It is true that I personally can be hard-edged, and that I've had to apologize to people at Tanium when I've gotten too sharp at times."

As far as firings go, those occur when employees "don't meet our ethical or performance standards," rather than to "save a few shares of stock," Hindawi writes.

About the Author

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.